• Belgian cyber security startup OutKept received EUR 500K of Seed funding from Presto Ventures and BAN Vlaanderen
• The platform confronts phishing by offering bounties to ethical phishers
• While all companies are under threat of phishing attacks, SMEs are particularly vulnerable, and OutKept is especially beneficial for such companies
• OutKept will use the new investment to accelerate international scaling with particular attention to CEE

This January, the famous Czech VC fund Presto Ventures was announced as the lead investor in the Seed round of OutKept, the Belgian cyber security startup that confronts phishing. Presto Ventures secured half of the EUR 500K round while the rest came from BAN Vlaanderen’s angel investors.

The Beginnings and the Concept

OutKept’s co-founders Simon Bauwens and Dieter Tinel come from business consultancy and cyber security backgrounds respectively. They came together in 2020 when they realized that phishing was becoming an ever more acute problem and wanted to work together in the cyber security area. They saw a lot of media attention for ethical hacking and bug bounty platforms and realized that this model could make cybersecurity more accessible.

‘Most companies do not do enough in cyber security, but that is not strange at all because everything is horribly expensive. This made us think about how we could leverage an open community and bug bounty or gamification in this area of phishing prevention and whether an open community model with success-based incentives, i.e. bounties for successful phishing, can be a way to offer increased cyber security at a lower cost,’ Mr Bauwens recalls.

The duo admits that they couldn’t know whether they were the right people at the start. However, after they met at a webinar where they were both looking for co-founders, they were immediately impressed with each other’s backgrounds. With business and technical backgrounds respectively, Mr Bauwens and Mr Tinel agreed on a 50-50 partnership where the two complemented each other in terms of product management.

According to Mr Bauwens, it took the co-founders several months to settle on a concept that would accumulate all their ideas. What they came up with was a phishing simulation platform where an open community of ethical phishers created automated high-quality phishing simulations to help organizations reduce human cyber.

Within the platform, ethical phishers get rewarded for creating successful phishing emails (using generative AI assistance is encouraged) with bounties, similar to bug bounty programs for ethical hackers. A ‘Darwinistic’ algorithm ensures successful phishing emails are distributed more to relevant target groups, and less successful simulations are eliminated.

The Main Milestones and the First Investment

The prototype was ready by March 2021, and the two gathered the courage to ask an organization to test it. This organization allowed OutKept to send them (ethical) phishing emails for training purposes. The first ethical phishers were recruited at Howest University of Applied Sciences, Mr Tinel’s alma mater, among the students of their cyber security professional program.

By late April 2021, the first trial proved to be a success, and the test client became OutKept’s first paying client. Still, based on the test results, the team came up with major changes to make the product scalable. They took several more months to implement, and the first paying client was finally onboarded in June 2021.

From this point, OutKept started ramping up sales efforts and building up a representative portfolio of clients. Towards the end of 2022, the traction was clear, but it became apparent that more funds were needed to help the company sustain growth and scale.

As such, 2023 was mostly about fundraising efforts, as well as improving the product and adding customers. In February 2023, OutKept won the ECSO STARtup Award at the Barcelona Cybersecurity Congress and met some interesting investors there. Through referrals, the team eventually met Presto Ventures.

‘We immediately felt a click. They were the first investors from which we really felt a positive attitude, and an immediate understanding of what our added value or USP was in the market. Their understanding of cybersecurity clearly helped because until then we had struggled to explain things: there are not too many cybersecurity focused investors in Belgium…’ Mr Bauwens tells ITKeyMedia.

Presto Ventures’ partner Eduard Kucera, in turn, cites OutKept’s impressive growth rates and the team’s ethical white-hat mission as the most convincing reasons to invest. According to him, these factors not only promise strong economic returns but also align with our mission to support ventures that contribute to a safer digital world.

‘Our investment in OutKept reflects our confidence in their unique approach to tackling phishing threats. OutKept’s strategy of crowdsourcing potential phishing emails and educating their clients’ employees aligns perfectly with the current needs of enterprise security, especially in the face of increasingly sophisticated AI-fueled social engineering attacks. This proactive and educational approach is a key player in strengthening the weakest link in current enterprise cybersecurity: human awareness,’ Mr Kucera adds.

The Human Factor in Cyber Security

Olga Voloshyna, Chairperson of the Committee on IT and Cyber Security of the German-Ukrainian Chamber of Industry and Commerce, expands upon the human awareness factor: ‘Regardless of the companies’ efforts to improve their cyber security measures, employees with their weak passwords, proneness to social engineering, and limited knowledge of cyber security remain the primary target for attacks.’

Indeed, recent reports from KnowBe4, particularly 2023’s Phishing by Industry Benchmark Report, confirm this tendency. The research covered 19 industries and over 12.5 million users from 35,600 organizations. It reveals that 33.2% of these organizations’ employees haven’t been specifically trained in cyber security and are subject to the risk of clicking a harmful link, i.e. can potentially fall victim to a phishing attack.

That said, Mr Bauwens estimates awareness of the problem itself as really good. Fortunately, the problem of phishing finds its way into the media nearly often and easily. That’s why, when walking into a room with a partner (MSP/MSSP/VAR) or with a potential client, the OutKept team doesn’t have to dedicate a lot of time to explain that phishing is a big problem, that it is an attack vector in >90% of cyber attacks and growing; and that organizations need to do recurring training to reduce human risk and boost awareness. The introduction of new regulations, like NIS2, is only increasing this awareness, as more organizations need recurring training, or their cybersecurity insurance requires it.

‘Stricter requirements to cyber security enforced by organizational measures are also demanded by the EU’s NIS2 Directive aimed at increasing the level of cyber security in the member states. The Directive requires the companies’ top management to enforce and execute strict control over specialized training in cyber security issues and cyber risk management. Such measures are not only aimed at strengthening the security culture within organizations, but also making the employees better informed and responsible in regard to cyber security both in their professional and personal lives,’ Ms Voloshyna agrees.

Phishing and SMEs

However, it wouldn’t be fair to link the danger of phishing to the human factor exclusively. There is still a lot that can be done on the organization level in this regard. Here, it is important to know that different organizations have different capacities for withstanding cyber security threats, including phishing.

‘All companies, in all industries, suffer from phishing, but there is an important group that has been left out when it comes to solutions: SMEs. Phishing simulations with training are something that the financial sector, in particular banks, have been doing for a long time. However, mostly as a ‘test’, less as a training methodology in itself. It is also expensive and time-consuming,which puts it out of reach for smaller organizations, under 500 FTE,’ Mr Bauwens points out.

Naturally, such organizations rarely have the funds to pay for in-house cybersecurity profiles, and external consultants can be too expensive for them as well. As such, recurring phishing simulations as a training method require a tool that is highly automated, simple to use, but does not compromise on the quality of the phishing simulations.

‘You need local content instead of 3,000 templates to choose from, because you just don’t have the time. That is where OutKept found its sweet spot in the market. We deliver a solution that is ultimately accessible for this large group of companies. It has traditionally been left out, but now it gets increasingly worried due to increased cyber attacks, increased regulatory requirements, and increased requirements for cyber insurance. They don’t need to worry about crafting their own ‘good’ phishing emails anymore, as we offer the option of simply using our ethical phishing community’s simulations instead,’ Mr Bauwens explains.

Building the Ethical Phishing Community

According to OutKept, the platform’s community mostly consists of students who join through ads placed in schools or word of mouth between students. OutKept also tours with guest lectures and presentations around universities, and they enjoy the interest of IT and cyber security students. Reportedly, students are excited about the idea of earning money (bounties) by crafting phishing emails, and they also like to compete for the title of the ethical phisher of the month.

Mr Bauwens adds, however, that the community doesn’t grow through schools exclusively; it has reached the stage where it begins to grow organically. Different people find OutKept on social media or at events: psychologists, former cyber police officers, marketeers, lawyers, etc.

Expansion and Other Plans

With the new investment at hand, the OutKept team focuses on expanding both its partnerships network and ethical phishing community, as well as scaling international sales in 2024. The company can already boast about its first collaborations with partners in the Netherlands and Spain. CEE countries – namely, Poland, Slovakia, and the Baltics, are also priority destinations for expansion. OutKept’s other plans for 2024 include preparing for a Series A round.

‘Phishing simulations are a vital component to address the human risk factor in any comprehensive cyber risk mitigation program. The OutKept simulation approach through their ethical phishers community perfectly mimics real-world phishing threats and is a cost-effective awareness and education solution. It can be easily implemented across a variety of private and public organizations,’ BAN Vlaanderen’s board member Jean-Marie Vliegen sums up.